We claim: 

1. A method of tracing data traffic on a network, the method comprising: 
at the transport layer of a protocol stack residing on a first device in the network, 
detecting a transmission or receipt of data to or from a second device on the network; and 
in response to the transmission or receipt being detected, recording the transmission or 
receipt as an entry in a trace log, wherein the trace log is accessible to determine the 
volume of data traveling over a network. 

2. The method of claim 1, wherein the protocol stack is a TCP/IP stack. 

3. The method of claim 1, wherein the detection step further comprises the 
step of detecting the presence of an input/output packet representing the transmission or 
receipt. 

4. A method of tracing a transmission of data over a computer network 
comprising: detecting the presence of an input/output packet requesting a transmission; 
searching the input/output request packet to determine the identity of the process that 
created the input/output request packet; and storing in a trace log an entry representing 
the transmission, wherein the entry comprises the identity of the process, and wherein the 
trace log is accessible to determine the volume of data being transmitted over the 
network. 

5. The method of claim 4, further comprising: detecting an 
acknowledgment of the transmission; and in response to the detection of the 
acknowledgment, storing in the trace log an entry representing the completion of the 
transmission. 

6. A method of tracing a receipt of data from a computer network 
comprising: detecting the presence of a packet for an input/output connection to a port; 
searching the packet to determine the identity of the process that created the packet; and 
in response to the detection of a receipt of data at the port, storing in a trace log an entry 
representing the receipt of the data, wherein the entry comprises the process 
identification, and wherein the trace log is accessible to determine the volume of the data 
being transmitted over the network. 

7. The method of claim 6, further comprising: creating a connection object 
representing the opening of the port connection by the process; copying the process 
identification from the connection object into a transport control block associated with 
the port; and in response to the detection of the receipt of data at the port, copying the 
process identification into the trace log. 

8. The method of claim 7, further comprising: copying the process 
identification from the connection object into the transport control block so that the 
process identification is contiguous with the rest of the data in the transport control block. 

9. The method of claim 8, further comprising: detecting the presence of an 
input/output request packet indicating that the data receipt is complete; and in response to 
the detection of the completion input/output request packet, making an entry representing 
the receipt of the data into a trace log. 

10. A facility for tracing data traffic on a network, the facility comprising: an 
identifying means for identifying a process causing a transmission or receipt of a 
communication via the network; and a logging means in communication with the 
identifying means for logging an event, wherein the event comprises the identification 
of the process and wherein the logging means is useable to determine the volume of data 
traveling over the network. 

11. The apparatus of claim 10 wherein the identifying means further 
comprises means for communicating with a transport layer of a protocol stack. 

12. A computer-readable medium having stored thereon computer-executable 
instructions for performing steps comprising: at the transport layer of a protocol stack 
residing on a first device in the network, detecting a transmission or receipt of data to or 
from a second device on the network; and in response to the transmission or receipt being 
detected, recording the transmission or receipt as an entry in a trace log, wherein the trace 
log is accessible to determine the volume of data traveling over a network. 

13. The computer-readable medium of claim 12, wherein the protocol stack is 
a TCP/IP stack. 

14. The computer-readable medium of claim 12, having further 
computer-executable instructions for performing the step of detecting the presence of an 
input/output packet representing the transmission or receipt. 

15. A computer-readable medium having stored thereon computer-executable 
instructions for performing steps comprising: detecting the presence of an input/output 
packet requesting a transmission; searching the input/output request packet to determine 
the identity of the process that created the input/output request packet; and storing in a 
trace log an entry representing the transmission, wherein the entry comprises the identity 
of the process, and wherein the trace log is accessible to determine the volume of data 
being transmitted over the network. 



16. The computer-readable medium of claim 15, having further 
computer-executable instructions for performing the step of detecting the presence of the 
input/output packet at the transport layer of a protocol stack. 

17. The computer-readable medium of claim 15, having further 
computer-executable instructions for performing the step of detecting an acknowledgment of the 
transmission; and in response to the detection of the acknowledgment, storing in the 
trace log an entry representing the completion of the transmission. 



18. A computer-readable medium having stored thereon computer-executable 
instructions for performing the steps comprising: detecting the presence of a packet for 
an input-output connection to a port; searching the packet to determine the identity of the 
process that created the packet; and in response to the detection of a receipt of data at the 
port, storing in a trace log an entry representing the receipt of the data, wherein the entry 
comprises the process identification, and wherein the trace log is accessible to determine 
the volume of the data being transmitted over the network. 

19. The computer-readable medium of claim 18, having further 
computer-executable instructions for performing the steps of: creating a connection object 
representing the opening of the port connection by the process; copying the process 
identification from the connection object into a transport control block associated with 
the port; and in response to the detection of the receipt of data at the port, copying the 
process identification into the trace log. 

20. The computer-readable medium of claim 18, having further 
computer-executable instructions for performing the step of copying the process identification from 
the connection object into the transport control block so that the process identification is 
contiguous with the rest of the data in the transport control block. 

21. The computer-readable medium of claim 18, having further 
computer-executable instructions for performing the steps of: detecting the presence of an 
input/output request packet indicating that the data receipt is complete; and in response to 
the detection of the completion input/output request packet, storing in the trace log an 
entry representing the receipt of the data. 

Appendix A: 

Legend: Kt - Kernel Mode Time 
Ut - User Mode CPU Time 
PID - Process ID 
TID - Thread ID 

The following are the extended record fields for the respective events: 

• Process start - new Process Id, its Parent's Process id 

• Process end - current Process Id, its Parent's Process id, the image filename 
that it was running 

• Thread start - new thread Id, its Process Id 

• Thread end - current thread Id being terminated, its Process Id. 

• I/O read, I/O write - The signature of the disk where the I/O operation was 
done, the transfer size. 

• TCPSend - Source Address, Destination Address, Source port, Destination 
port, Size, ProcessId 



